17.
Outline (slide navigation): Motivation; The Client-Side Honeypot (Overview, Classification, Client-side honeypot projects); The CHP System; Attack Patterns; Future works
Deﬁnition
A client-side honeypot is a decoy computer that simulates or drives client-side software (for example a web browser) in order to actively and automatically search for attacks, record the resulting system activities, and judge which of those activities are malicious, so as to learn about client-side attack patterns.
Bing Yuan Client-Side Honeypots

18.
Characteristics
client-side: it simulates or drives client-side software and offers no services of its own
active: since it cannot lure attackers to itself, it must actively go looking for attacks
automatic: since a huge number of resources has to be visited, its tasks must be automated
identify: it must be able to judge which system activities are normal and which are malicious

22.
Classification
by level of interaction: high-interaction and low-interaction
by detection technology:
integrity control: take one snapshot of the system before crawling and one after, then compare the two to decide whether the system's integrity has changed
real-time monitoring: during the crawl, intercept the important system calls with hooks and record the system activities they cause
more efficient than integrity control: no system snapshots are needed
more precise: every important system call is intercepted, including changes that are undone again before a second snapshot would be taken
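The two detection technologies above, as an added example that is not part of the original slides or of the CHP system: a file-tree snapshot diff stands in for integrity control, and a hook installed on Python's own open() and os.remove() stands in for the Windows API hooking the slides describe. Both are run over the same constructed workload, which modifies one file and drops a second file that it deletes again before the "after" snapshot. All paths and file names are constructed for the example.

```python
"""Integrity control vs. real-time monitoring (added example).

  * integrity control: hash the file tree before and after, then diff;
  * real-time monitoring: hook the functions that perform the activity and
    log every call as it happens.
The workload is constructed for the example: it modifies one file and drops
a second file that it deletes again before the "after" snapshot, which is
the case the snapshot approach cannot see.
"""
import builtins
import hashlib
import os
import tempfile
from contextlib import contextmanager


def snapshot(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = digest
    return state


def diff_snapshots(before, after):
    """Classify integrity changes between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after)
                           if before[p] != after[p]),
    }


@contextmanager
def file_activity_monitor(log):
    """Hook builtins.open and os.remove so that every call is recorded in log.

    This is the user-mode analogue of API hooking: the original function is
    saved, a wrapper (the "hook") is installed in its place, and the wrapper
    records the call before forwarding it to the original.
    """
    real_open, real_remove = builtins.open, os.remove

    def hooked_open(path, mode="r", *args, **kwargs):
        if any(flag in mode for flag in "wax"):      # only writes are of interest
            log.append(("write", os.fspath(path)))
        return real_open(path, mode, *args, **kwargs)

    def hooked_remove(path, *args, **kwargs):
        log.append(("delete", os.fspath(path)))
        return real_remove(path, *args, **kwargs)

    builtins.open, os.remove = hooked_open, hooked_remove
    try:
        yield log
    finally:
        builtins.open, os.remove = real_open, real_remove   # unhook


def workload(root):
    """Constructed stand-in for what a visited page might do to the system."""
    with open(os.path.join(root, "hosts"), "a") as fh:    # modify an existing file
        fh.write("203.0.113.5 update.example\n")
    dropper = os.path.join(root, "tmp", "setup.exe")
    with open(dropper, "wb") as fh:                        # drop a file ...
        fh.write(b"MZ" + b"\x00" * 62)
    os.remove(dropper)                                     # ... and remove it again


def run_demo():
    """Run the workload under both techniques; return what each one saw."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tmp"))
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")

        before = snapshot(root)
        events = []
        with file_activity_monitor(events):
            workload(root)
        after = snapshot(root)

        integrity = diff_snapshots(before, after)
        realtime = [(kind, os.path.relpath(path, root)) for kind, path in events]
        return integrity, realtime


if __name__ == "__main__":
    integrity, realtime = run_demo()
    print("integrity control saw:   ", integrity)
    print("real-time monitoring saw:", realtime)
```

The snapshot diff reports only the modified hosts file; the hook log additionally shows the write and the delete of the dropped executable, which is exactly the "more precise" point of real-time monitoring.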

28.
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by Christian Seifert in 2006; a platform-independent open source framework written in Ruby
a visitor component, e.g. a web browser simulator, drives the visits to web servers
an analysis engine determines whether the system's security policy has been violated
Capture-HPC: high-interaction client-side honeypot developed by several researchers at Victoria University of Wellington using Java and C
the Capture server controls the Capture clients
each Capture client records the system activities in real time

34.
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side honeypot, developed by Kathy Wang in Perl in early 2005
takes two baselines of system files and registry entries, one before and one after visiting a whole domain
compares the two baselines to find integrity changes
HoneyMonkey: short for Strider HoneyMonkey Exploit Detection System, developed by Microsoft in 2005; the first high-interaction client-side honeypot system to find a 0-day exploit
runs one web browser instance per URL under test and waits a few minutes
meanwhile records and analyses the system activities
uses a pipeline of virtual machines with different patch levels

41.
Overview
the goal: implement a system which determines whether clicking on a web link causes any system activity; if so, judges whether that activity is normal or malicious; and, when it is malicious, further investigates the URLs that caused it in order to learn about client-side attack patterns
the CHP system is a high-interaction client-side honeypot; it consists of CI (Crawl and Identify), developed by me in C++, and CWSandbox, developed by Carsten Willems in Delphi, and it runs on Windows XP/2000

43.
Which system activities should be controlled
files: created, deleted and modified files
registry entries: created, deleted and modified keys, values and data
processes: opened, created and terminated processes
network connections: malicious network connections
memory: the ultimate goal of system control, because most malware leaves traces in memory, but it is not easy to implement

49.
The GUI of CI (screenshot)

50.
The crawling part
How is the URL list built?
the first 100 search results (URLs) for a query
a blacklist of known malicious URLs
URLs extracted from e-mail bodies
URLs extracted from the crawled web pages
the malicious URLs identified during a previous run

55.
Crawling parameters
breadth: how many web links on one web page we click on
depth: how many layers we visit; for example, with depth two the current web page is layer zero, clicking its links leads to layer one, and clicking the links on layer one leads to layer two
length: the time between visiting two URLs
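The URL-list sources and the breadth/depth/length parameters of the two preceding slides, as an added example that is not the CI's own code: link extraction from HTML and from free text, merging of seed sources without duplicates, and a layer-by-layer crawl that honours breadth and depth. The site map and every URL in it are constructed so that the crawl runs offline; a dictionary lookup stands in for the IE instance that would fetch each page.

```python
"""Building the URL list and crawling it by breadth and depth (added example).

The site is an in-memory map URL -> HTML, constructed for the example, so the
crawl runs offline; a real CI would load each URL in the browser instance and
wait `length` seconds between two visits.
"""
import re
import time
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

# Constructed sample site.  "/" links to three pages; page "/b" carries the
# kind of injected link the slides describe (an iframe to a foreign site).
SITE = {
    "http://site.example/": '<a href="/a">a</a> <a href="b">b</a> '
                            '<a href="/c#top">c</a> <a href="/a">dup</a>',
    "http://site.example/a": '<a href="/a1">a1</a> <a href="/a2">a2</a>',
    "http://site.example/b": '<iframe src="http://evil.example/x"></iframe>'
                             '<a href="/b1">b1</a>',
    "http://site.example/c": "<p>no links</p>",
    "http://site.example/a1": "", "http://site.example/a2": "",
    "http://site.example/b1": "",
    "http://evil.example/x": "",
}


class LinkExtractor(HTMLParser):
    """Collects link targets from <a href>, <iframe src> and <frame src>."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "iframe": "src", "frame": "src"}
        for name, value in attrs:
            if name == wanted.get(tag) and value:
                self.links.append(value)


def extract_urls(html, base_url):
    """Absolute, fragment-free, de-duplicated links in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    seen, out = set(), []
    for link in parser.links:
        absolute = urldefrag(urljoin(base_url, link)).url
        if absolute not in seen:
            seen.add(absolute)
            out.append(absolute)
    return out


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def urls_from_text(text):
    """URLs in free text such as an e-mail body (regex, not a parser)."""
    return list(dict.fromkeys(m.group(0).rstrip(".,)") for m in URL_RE.finditer(text)))


def build_url_list(*sources):
    """Merge seed sources (search results, blacklist, e-mail URLs, ...) without duplicates."""
    return list(dict.fromkeys(url for source in sources for url in source))


def crawl(seed, breadth, depth, length=0.0, fetch=SITE.get):
    """Visit pages layer by layer: the seed is layer 0, its first `breadth`
    links are layer 1, and so on down to `depth`.  Returns (url, layer) pairs
    in visit order; `length` is the pause between two visits in seconds."""
    visited, order = set(), []
    queue = deque([(seed, 0)])
    while queue:
        url, layer = queue.popleft()
        if url in visited:
            continue
        if order and length:
            time.sleep(length)
        visited.add(url)
        order.append((url, layer))
        html = fetch(url)
        if html is None or layer >= depth:
            continue
        for link in extract_urls(html, url)[:breadth]:
            queue.append((link, layer + 1))
    return order


if __name__ == "__main__":
    seeds = build_url_list(["http://site.example/"],
                           urls_from_text("see http://site.example/b now."))
    for url, layer in crawl(seeds[0], breadth=2, depth=2):
        print(layer, url)
```

With breadth 2 and depth 2 the third link on the start page (/c) is never visited, while the foreign iframe target reached through /b is, which is how injected links on otherwise legitimate pages end up in the list of URLs to examine.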

65.
Introduction
CWSandbox automatically analyses malware behaviour by running the malware and intercepting all important calls to the Windows API that cause system activities
CWSandbox uses hooking: hooking a function means intercepting the calls to it with another function, the hook
finally it generates a summarised report

68.
The Integration of CI and CWSandbox
CWSandbox launches one IE instance as the "malware" under analysis, which the CI then takes control of
the CI continuously crawls the URLs from the URL list in this IE instance
meanwhile the system activities caused by visiting these URLs are recorded by CWSandbox
CWSandbox generates a summarised report of the system activities
the identify part of the CI parses and analyses this report to judge which activities are malicious
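The identify step, as an added example that is neither the CI's nor CWSandbox's own code: a report of recorded activity in the four classes listed earlier (files, registry entries, processes, network connections) is matched against simple allow/deny filter patterns and given a verdict. The XML schema, the report content, the benign path prefixes, the autostart key fragments and the file name "svchosts.exe" are all constructed for the example; this is not the real CWSandbox report format.

```python
"""The "identify" step: turn a recorded-activity report into a verdict (added example).

The report format is constructed for this example and is NOT the real
CWSandbox schema; it only mirrors the four activity classes the slides say
must be controlled.  The filter patterns are deliberately simple.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed report for one visited URL.  The dropped file imitates the
# "svchost.exe" disguise pattern described in the slides.
SAMPLE_REPORT = """<report url="http://site.example/b">
  <process pid="1200" image="C:\\Program Files\\Internet Explorer\\iexplore.exe">
    <file op="created" path="C:\\Documents and Settings\\u\\Local Settings\\Temporary Internet Files\\Content.IE5\\ab.htm"/>
    <file op="created" path="C:\\WINDOWS\\system32\\svchosts.exe"/>
    <registry op="set" key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="svchosts" data="C:\\WINDOWS\\system32\\svchosts.exe"/>
    <process_create pid="1340" image="C:\\WINDOWS\\system32\\svchosts.exe"/>
    <network host="site.example" port="80"/>
    <network host="198.51.100.7" port="6667"/>
  </process>
</report>"""

# Filter patterns (constructed).  Locations a browser legitimately writes to:
BENIGN_FILE_PREFIXES = (
    "c:\\documents and settings\\u\\local settings\\temporary internet files\\",
    "c:\\documents and settings\\u\\local settings\\temp\\",
    "c:\\documents and settings\\u\\cookies\\",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".vbs")
AUTOSTART_KEY_FRAGMENTS = ("\\currentversion\\run", "\\currentversion\\runonce",
                           "\\browser helper objects", "\\winlogon")
BENIGN_CHILD_IMAGES = ("c:\\program files\\internet explorer\\iexplore.exe",)
WEB_PORTS = {"80", "443", "8080"}


def identify(report_xml):
    """Return (verdict, findings); verdict is 'benign', 'suspicious' or 'malicious'."""
    root = ET.fromstring(report_xml)
    visited_host = urlsplit(root.get("url")).hostname
    findings = []

    # files: anything written outside the browser's own directories is
    # suspicious, an executable written there is malicious
    for f in root.iter("file"):
        path = f.get("path").lower()
        if path.startswith(BENIGN_FILE_PREFIXES):
            continue
        severity = "malicious" if path.endswith(EXECUTABLE_SUFFIXES) else "suspicious"
        findings.append((severity, "file", f"{f.get('op')} {f.get('path')}"))

    # registry: writes to autostart / browser-extension locations
    for r in root.iter("registry"):
        key = r.get("key").lower()
        if any(fragment in key for fragment in AUTOSTART_KEY_FRAGMENTS):
            findings.append(("malicious", "registry",
                             f"{r.get('op')} {r.get('key')}\\{r.get('value')}"))

    # processes: the browser should not spawn anything but itself
    for p in root.iter("process_create"):
        if p.get("image").lower() not in BENIGN_CHILD_IMAGES:
            findings.append(("malicious", "process", f"created {p.get('image')}"))

    # network: non-web ports to hosts other than the one being visited
    for n in root.iter("network"):
        host, port = n.get("host"), n.get("port")
        if host != visited_host and port not in WEB_PORTS:
            findings.append(("suspicious", "network", f"connect {host}:{port}"))

    if any(sev == "malicious" for sev, _, _ in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = identify(SAMPLE_REPORT)
    print(verdict)
    for severity, category, detail in findings:
        print(f"  [{severity}] {category}: {detail}")
```

Note the asymmetry in the rules: a write into the browser cache is ignored entirely, because the cache is exactly where a legitimate page visit leaves traces, which is why a plain "any file was created" rule would flag every URL.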

73.
Attack Patterns (1)
malware uses social engineering to disguise itself, e.g. by taking a system-like name such as "svchost.exe"
the user's network connections are redirected, e.g. through an invisible "iframe"
malicious websites plant their web links on the pages of other websites
the source code is concealed by obfuscation, often applied several times over

77.
Attack Patterns (2)
use different scripting languages, e.g. a mixture of VBScript
and JavaScript
use script code to operate directly on the local system, e.g.
through the "Scripting.FileSystemObject" object
malware uses various methods to create, execute and delete
itself at the same time
malware uses rootkit technologies to hide itself
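As an added example (not the CHP system's or CWSandbox's own code) of what the identify part can check for the patterns on the two Attack Patterns slides, a toy Python scorer that inspects fetched page source and a constructed list of sandbox events; the event format, the sample inputs and the list of system process names are assumptions.

```python
import re

# Hypothetical identify-step heuristics: each check maps to one pattern on the
# slides (hidden iframe, mixed VBScript/JavaScript, FileSystemObject, layered
# obfuscation, system-name disguise, create/execute/delete of the same file).
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:width\s*=\s*"?0\b|height\s*=\s*"?0\b|display\s*:\s*none|visibility\s*:\s*hidden)',
    re.I)
SCRIPT_LANG = re.compile(r'<script[^>]*(?:language|type)\s*=\s*"?([\w/]+)', re.I)
FSO = re.compile(r"Scripting\.FileSystemObject", re.I)
OBFUSCATION = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}  # assumed list

def scan_page(html):
    """Return the attack-pattern indicators found in a page's source."""
    hits = {}
    if HIDDEN_IFRAME.search(html):
        hits["hidden_iframe"] = 1
    langs = {"vbscript" if "vb" in m.group(1).lower() else "javascript"
             for m in SCRIPT_LANG.finditer(html)}
    if len(langs) > 1:
        hits["mixed_script_languages"] = len(langs)
    if FSO.search(html):
        hits["filesystemobject"] = 1
    layers = len(OBFUSCATION.findall(html))
    if layers >= 2:  # decoder wrapped in decoder: obfuscation applied several times
        hits["layered_obfuscation"] = layers
    return hits

def scan_report(events):
    """events: (operation, path) tuples from a sandbox report (constructed format)."""
    hits, ops_by_path = {}, {}
    for op, path in events:
        name = path.rsplit("\\", 1)[-1].lower()
        # a system binary name outside the system directory is a disguise
        if name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\system32\\"):
            hits["system_name_disguise"] = name
        ops_by_path.setdefault(path.lower(), set()).add(op)
    for ops in ops_by_path.values():  # same file created, run and deleted in one visit
        if {"create_file", "create_process", "delete_file"} <= ops:
            hits["create_execute_delete"] = 1
    return hits

# constructed sample inputs for the two scanners
SAMPLE_HTML = ('<script language="VBScript">Set fso = CreateObject("Scripting.FileSystemObject")</script>'
               '<script type="text/javascript">eval(unescape("%65%76%61%6c"))</script>'
               '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>')
SAMPLE_EVENTS = [("create_file", "C:\\Temp\\svchost.exe"),
                 ("create_process", "C:\\Temp\\svchost.exe"),
                 ("delete_file", "C:\\Temp\\svchost.exe")]
```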

81.
Future works (1)
further improve the CHP system and expand the filter patterns
test the CHP system in the Laboratory for Dependable
Distributed Systems at the University of Mannheim and at the
Honeynet Organization
improve the email part so that it investigates vulnerabilities of
the email client; this must be coordinated with CWSandbox, which
can monitor activities such as opening emails or email
attachments
add the network control part

85.
Future works (2)
improve the integrity control part: with better configuration
and implementation, the integrity control approach may also
work very efficiently
CWSandbox is not an open source project, so we may build our
own real-time monitoring kernel
deepen the theoretical research on client-side honeypots, which
can help us improve the CHP system further
build one central repository which can be accessed through the
project website or the CI; this repository will store the malicious
URLs and their activities, and distributed users all over the
world can run the CHP system and submit the malicious URLs
they find to this central repository
